Amazon Again Beats IBM For CIA Cloud Contract

IBM maneuvering over 10-year, $600 million CIA contract doomed its protest, in eyes of court.

When Amazon.com won a ruling last week that that upheld Amazon Web Service's winning bid for a $600 million CIA contract, it issued a low-key response: "We look forward to a successful relationship with the CIA."

IBM on Feb. 26 had protested the award on the grounds its own bid to build and operate a dedicated, private cloud facility for the CIA was $54 million lower than Amazon's bid. The Government Accountability Office then reviewed the bids, and collected legal briefs from the two parties through April and May. After a May 14 evidentiary hearing, the GAO issued a 505-page report on June 6 upholding the IBM protest in part.

The CIA began to follow the GAO finding and reopened negotiations, soliciting revised, final proposals. Amazon filed suit July 24 in the U.S. Federal Court of Claims, saying the CIA's corrective action was "overbroad, unreasonable and in violation of federal law and regulation." It also objected to competing with IBM again on an even footing after so much of its bid information had been disclosed to IBM in the bid debriefing process. The decision by the Court of Claims was in reaction to that filing.

The court issued a bench ruling awarding the CIA's C2S contract once again to Amazon, "due to the urgency and importance of the C2S." The CIA would like to get its facility built to that it may analyze 100 TBs of raw data at a time through a MapReduce-style system. MapReduce originated at Google and distributes data to server disks in a cluster, then requires the data located close to the server CPU to be processed there. Hadoop uses MapReduce along with its own file system.

But the written ruling offers some explanation for the original CIA award Feb. 14 and the Oct. 7 bench ruling in Amazon's favor.

"As a threshold matter, IBM lacked any chance of winning a competition with AWS for this C2S contract," the ruling said, and therefore it lacked standing to claim prejudice in the way the contract had been awarded. The GAO failed to assess whether IBM had the standing to file the protest that it did, said the ruling.

The court also objected to GAO failing to spot maneuvering by IBM's lawyers. "The GAO failed to address the way in which IBM manipulated its pricing to create a bid protest issue," it said. IBM "drastically departed from the approach followed in its initial proposal when it came to submitting its final proposal revision" for one set of requirements, known as Scenario 5. IBM had closely questioned the CIA on what it expected from the Scenario 5 requirements. By revising its final bid on Scenario 5, it gained the position to "argue that the agency did not evaluate Scenario 5 prices on a common basis. IBM was the only offeror who appeared to 'misunderstand' the Scenario 5 pricing requirements," the court said.

During the case, IBM lawyers had strongly objected to the representation that it had manipulated the bidding process to create a protest issue. But the court "does not see any other explanation for IBM's final pricing strategy," the ruling said.

Several cloud providers had expressed interest in bidding on the CIA contract, actual bids were submitted only by IBM and Amazon. "The agency deemed Amazon's proposal superior to IBM's proposal in every category except management, and except for 'security' where each proposal received a 'pass' rating," the ruling said.

In a demonstration of its technical approach, Amazon Web Services won a "very good" rating and IBM, "marginal." In its proposed management approach, however, IBM won the "very good" rating from the CIA, while Amazon was rated, "satisfactory." When all factors were considered together, the risk of going with Amazon was deemed "low," while the risk of going with IBM was deemed to be "high."

And even though IBM had bid the lower price, the CIA evaluators noted that it had requested a first year minimum payment on the contract of $39 million, or double the amount it was likely to spend, meaning the CIA would be forced to make a year-end payment on services that it had not yet received. Evaluators then noted IBM by its terms would be allowed "to request restructuring of the entire agreement after year two." These terms allowed IBM to propose a low price for the agency's evaluation purposes, but then to argue for negotiation of a higher price in the later years of performance."

The evaluation left the CIA with the conclusion that Amazon had submitted the better bid.

I have been appalled by the tactics that Sales Teams (Amazon and IBM included) use to win a bid. There is the winning bid, but inside that bid, there is a clasuse that allows companies to re-asses equipment technology prior to the start of the project. This practice normally results in the company "recommending" a solution that should have been submitted, but would have lost due to the cost of the better equipment. I have been with two companies that have performed in this manner. When asked why? The answer, its a standard practice that all companies use. The same answer from two different companies, there has to be some truth to it.

I would hope that Amazon presented a bid that will not escalate in price 12 months into the project and that their bid provided the best equipment for the job.

Certainly reliability is a major factor but let's stay focused on your original statement regarding security. Amazon has a lot of experience with operating a massive on-line business that stores credit cards. Surely they've learned a few real world things about keeping that data secure. There have been reports of a few issues over the years but it seems nothing so significant as to lose customer trust. Individual accounts will always be compromised since they are only as secure as their owners and the strength and secrecy of their password practices. In 2011, they had some kind of security issue that affected portions of their customer's cloud.

I really don't know about IBM's cloud. How big is it vs. Amazon? If it's relatively new or small, we'll need a longer track record and growth to genuinely determine whether or not IBM has some kind of intrinsic advantage stemming from internal expertise, best practices and experience.

IBM has a security solution division, and has been part of the global community helping to track and manage security issues for decades. This is not just about a platform but understanding all the potential threats and security exposures. In addition, Amazon has had some quite visible downtime in their cloud deployment and that would also seem to be an issue here as well.

As I stated above, their cloud seems to offer x86-based tech. This type of cloud hasn't been around long enough to give IBM any intrinsic advantage. Unless we believe they have somehow baked their decades of mainframe and mid-range security expertise into this newer tech, at best it's inconclusive to assume their offering is more secure than Amazon.

IBM has been making enterprise environments secure for more years than Amazon has been in existence. Amazon itself says security is important, but security is just one of several key fields that it's had to master in 6-7 years of public cloud ops.

Such crafty terms come from decades of experience with business contracts. Perhaps this is something Amazon is still learning and in this case, it might have been an advantage to lack such experience.

Odd vendor terms are common from old-guard IT suppliers. 10 years ago when I was heavily involved in such contracts for software services, it was common for vendors to literally give stuff away in exchange for lengthy maintenance contracts. They were much more interested in recurring revenue than initial revenue. At first this seems attractive since it's much easier to expense smaller maintenance fees over five years than gain approval for a large capital expense. Unfortunately this can be like mobile phone contracts that tie your phone to the same carrier even though you want to make a move. Further it can be more cost effective to choose an inferior product from the same vendor rather than the best from a competitive vendor. Sometimes the product is good enough and other times it's a waste of money and you have to go back and get the best product. Now you have a product that you don't use and it's still on the books for several more years of maintenance.

For an unrelated article reviewing IBM's cloud offerings, I went to IBM's cloud site last week. I noted they offered Linux and Windows. This seems to imply their current cloud expertise might be dominated by x86. If true, why would IBM's x86 offerings be more secure than Amazon's?

The lesson I would take away here is that cloud vendors are likely to present very complicated, many-layered proposals that may veil potentially expensive terms. The prominent price tag on the executive summary page may have been lower, but the fine print inside said $39 million for the first year. Cloud buyer beware!

In addition to the legal maneuvering that the court highlighted, I'm surprised by the fact that Amazon and IBM obtained equal "pass" ratings on security. I would have guessed IBM had more of an advantage there.

Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.